The FBI is preparing to accelerate the collection of DNA profiles for the government's massive new biometric identification database.

Developers of portable DNA analysis machines have been invited to a Nov. 13 presentation to learn about the bureau's vision for incorporating their technology into the FBI's new database.

So-called rapid DNA systems can draw up a profile in about 90 minutes.

DNA has been an integral part of criminal investigations for a number of years now and there's no question it has played an important role both in securing convictions and exonerating the falsely accused. But what the FBI is proposing is adding input from lab-in-a-box setups that return pass/fail DNA matches in a relative instant.

Rapid DNA analysis can be performed by cops in less than two hours, rather than by technicians at a scientific lab over several days. The benefit for law enforcement is that an officer can run a cheek swab on the spot or while an arrestee is in temporary custody. If there is a database match, they can then move to lock up the suspect immediately.

What used to take days in a secure, sterile lab now can apparently be accomplished in the "field" in a couple of hours. All technological improvements aside, this would appear to be a much less reliable method. Field drug testing kits, which utilize nothing more complex than chemical reactions, have been available for years, and they've been shown to be far more unreliable than those utilizing them would have you believe. The same can most certainly be said about portable or on-site units wholly divorced from the normal constraints of a lab setting.

The government (so far) realizes this. That's why DNA obtained and analyzed by these units isn't included in the national DNA database. Only results from accredited public-sector laboratories are accepted. The companies manufacturing these devices are obviously interested in seeing this law changed. In the meantime, they've pushed for states to create their own DNA databases.

The FBI would like to see this changed as well, going so far as to issue a statement that is mostly wishful thinking.

FBI officials say their program does not impact any laws currently governing the operation of CODIS. Rapid DNA techniques in booking stations, “will simply expedite the analysis and submission of lawfully obtained samples to the state and national DNA databases,” [Ann] Todd, the FBI spokeswoman, said.

Except that it would impact laws governing CODIS… as they are today.

A legislative tweak is needed to allow DNA processed by a portable machine to be entered into the FBI's systems, bureau officials acknowledge.

Again, the FBI places efficiency above everything else. "Tweaking" the law to include portable devices would "expedite" the filling of the FBI's biometric database. Faster is better, even if the analysis method isn't as reliable as that performed by accredited labs. False positives/negatives are just the acceptable collateral damage of "combating crime and protecting the United States."

There's a huge backlog of untested DNA waiting for CODIS-qualified lab analysis. Offloading some of the work to private labs or portable devices sounds like a great way to ease that congestion, but it actually could create more problems. If the government believes that only its chosen labs are capable of producing solid analysis, fixes like those suggested by three California Congressional reps would ask law enforcement (including the FBI) to decide which evidence goes to the Gold Standard labs and what gets passed along to the lesser, unproven venues.

When presented with this set of options, law enforcement may prioritize cases badly, routing "time-sensitive" evidence through unproven but quicker analysis while sending out anything that can "wait" to the government's labs. Basically, without an across-the-board certification of all methods (with rigid testing and re-testing to ensure quality) as being equal, there's a good chance collected DNA will be treated just as prejudicially as the suspects themselves. And, if the expansion of CODIS inputs isn't handled with rigorous oversight, the chances of the guilty going free and the innocent being imprisoned increase.

FBI's Biometric Program Blends Criminal And Non-Criminal Data For 'Efficiency,' Obsessed With Tracking Care Providers
By Tim Cushing | Fri, 26 Sep 2014 04:10:09 PDT
https://www.techdirt.com/articles/20140925/05433028634/fbis-biometric-program-blends-criminal-non-criminal-data-efficiency-obsessed-with-tracking-care-providers.shtml

has rolled out, pretty much right on schedule and well ahead of the Privacy Impact Assessment it hasn't updated since the announcement of the "system upgrade" back in 2008.

EPIC has obtained another load of documents from an FOIA request dealing with the "Rap Back" portion of the NGI system, one that provides constant monitoring of certain people -- like suspected criminals, people on parole, employees with security clearances and "trusted positions." Notably, the Rap Back program does not track employees of the criminal justice system, and nothing in what's been obtained even suggests it can be used that way.

The FOIAed documents run 202 pages [pdf link] with tons of duplicate presentation slides and long lists of fully-withheld documents. As is par for the course with sloppy fulfillments like these, the redactions are inconsistent, raising questions about the legitimacy of the exemptions used to justify removal in one place but not another. For instance, two back-to-back copies of the same slide show the FBI has an interest in redacting "DHS" [using exemption b7(e) -- "disclosure of techniques and procedures for law enforcement investigations"], but not a consistent interest.

Elsewhere, the FBI goes into more specifics as to who's included in the term "trusted positions" -- something it offers a lifetime of active monitoring for if that's what the "customer" wishes.

It is imperative that the FBI maintain a complete CHRI database in order to provide customers with information necessary to make informed decisions regarding the backgrounds of individuals whether for criminal justice purposes, noncriminal justice purposes for employment, licensing, and gun permit matters, or for purposes of national and international security. Disposition data is information pertaining to the resolutions of arrest charges or the custody or supervisory status of subjects subsequent to convictions. Disposition data is the core of the criminal history database.

Further details indicate that "trusted positions" are actually just a variety of caretakers, rather than those in positions that contain a healthy mixture of power and access (i.e., law enforcement members).

Availability of complete computerized criminal records is vital for criminal investigations, prosecutorial charging, sentencing decisions, correctional supervision and release, and background checks for licensing, purchasing of handguns, and applying for child-care positions or other responsibilities involving children, the elderly, and the disabled.

While it is definitely preferable to have someone with a clean record providing caretaking services, you have to wonder why the FBI is so focused on monitoring this specific group of employees. There's been a push to include this group in its Rap Back program pretty much since the beginning. Further down in the document, presentation slides suggest making inroads with legislators to turn the FBI's monitoring preference into an integral part of federal law.

The FBI wants officials to target legislators as "champions" and includes documentation on existing and upcoming legislation where wording could be inserted to make participation in Rap Back mandatory.

Sections 4222 and 4223 would require the Office of Justice Programs to develop model screening guidelines to include a criminal background check. The Secretary of Education is authorized to award grants to those entities that have conducted background checks on mentors in accordance with these guidelines. The bill does not indicate how these checks would be conducted.

Section 3 of the bill expands the pilot program, as established under Section 307 of the Medicare Prescription Drug, Improvement, Modernization Act of 2003, to be conducted on a nationwide basis. Section 4 of the bill requires a state and FBI fingerprint criminal history background check on direct patient access applicants and employees of skilled nursing facilities and long-term care facilities. It also requires the state to develop "rap back" capability. Section 5 also requires the FBI to develop "rap back" capability by January 1, 2011. The FBI would only be authorized to charge the actual costs of conducting the criminal history background check.

Elsewhere, the documents note that the FBI will be mixing its criminal and noncriminal databases -- for efficiency.

The existing IAFIS criminal and civil repositories are maintained as separate and distinct databases that do not allow for the automated transfer of records among repositories. The proposed IAFIS design change combines the records from the civil and criminal repositories into an interoperable repository. The repository design will facilitate the transition, search, addition, consolidation, modification, expungement, response generation, and file maintenance of criminal and civil information; provide the ability to search the civil records with remote latent fingerprint submissions; and support user required fingerprint search and notification capabilities. With this initiative, the records from the civil and criminal repositories will be maintained in one interoperable repository.

It also notes that in order to keep its fingerprint database up to date, it will need to pull from civil fingerprint records.

And, finally, sitting by itself, unduplicated anywhere else in the 202 duplicate-ridden pages, is a single slide dedicated to mandatory privacy considerations -- neither of which has been fulfilled even though the program is now fully operational.

There's no discussion included as to why the FBI is so focused on including caretakers and childcare providers in its lifelong monitoring program. In terms of its other stated interests (national security/counterterrorism, support for law enforcement), this seems like a much lower-level concern. While these positions would ideally be filled by citizens with clean records, constant updates from the criminal justice system seem a bit much -- especially when good employees may be forced out of work for unrelated infractions, like being arrested for exercising their First Amendment rights (filming public officials, attending protests) or marijuana possession.

It is notable that a legislative attempt to make this sort of monitoring mandatory for government contractors providing security services in war zones was shot down by the executive branch (p. 143). Apparently, it's more important to track caretakers than it is to ensure those operating security teams overseas (with a minimum of oversight) aren't former (or current) felons.

In all of the pages released, nothing deals directly with the program's privacy impact or its deliberate exclusion of criminal justice employees. No concerns are raised and no suggestions are made that law enforcement entities might do well to include their officers in the Rap Back monitoring system. And, even though the documents range from 2008-2011, there are no updated statistics that suggest the facial monitoring software has improved over its 20% error rate. Presumably, it has, but the FBI seems to feel the error rate isn't worth discussing (or releasing), even though that program actually went live in a four-state rollout three years ago.

The mixing of civil and criminal data should be the biggest concern, especially if the program pulls potential mug shots from both when seeking matches for facial recognition. There's a good reason to keep these separate. Blending both for efficiency's sake only makes the existing problem -- law enforcement's disinterest in ensuring that arrestees that were never charged or had records expunged are removed from the system -- even worse. Now, when Rap Back notifications are delivered, they have a higher potential to return data on noncriminals.

Privacy Rights Groups Ask Eric Holder To Ensure The FBI's Biometric Database Doesn't Become Just Another Domestic Surveillance Tool
By Tim Cushing | Thu, 3 Jul 2014 18:41:49 PDT
https://www.techdirt.com/articles/20140629/20374327729/privacy-rights-groups-ask-eric-holder-to-ensure-fbis-biometric-database-doesnt-become-just-another-domestic-surveillance-tool.shtml

The FBI is continuing to push ahead with its development of a biometric database (Next Generation Identification, or NGI), which will combine old school fingerprints and background records with facial recognition technology and other biometric data.

The technology continues to improve, but the FBI originally greenlit the database back when it still allowed the database a 20% error rate on its facial recognition. That was back in 2010, and of course, the only reason we know the FBI was perfectly fine with a 1-in-5 screw up rate was because EPIC liberated this information with an FOIA request.

This is also being rolled out without the FBI providing an updated Privacy Impact Assessment, a mandatory document demanded by the DOJ. It told Congress in 2012 that it was working on producing one. It's still telling this same story in 2014, as detailed in a letter to Eric Holder, signed by the ACLU, the EFF, EPIC and several other civil liberties/privacy rights groups.

The FBI recognizes this transformation and, at a July 2012 Senate hearing, committed to updating its privacy assessment of the agency's use of facial recognition. Jerome Pender, Deputy Assistant Director of the FBI's Criminal Justice Information Service Division, stated in his statement for the record that "[a]n updated PIA is planned and will address all evolutionary changes since the preparation of the 2008 IPS PIA." Furthermore, Assistant Director Pender said the updated privacy assessment would have "an emphasis on Facial Recognition." Nearly two years later an updated privacy assessment has not been completed.

This lack of the required privacy assessment also has had little impact on the speed of the FBI's NGI rollout. It has stated that it hopes to have the program fully operational in "fiscal year 2014." In the slight defense of the FBI, there's plenty of "privacy impact" to "assess."

The NGI database not only gathers criminal records from across multiple state and federal databases but also pulls in non-criminal data gathered from federal employees and employer background checks. This database, containing photographs, iris recognition data, palm prints and vast amounts of information collected from existing databases, will be accessible by local law enforcement agencies. The possibilities for abuse are nearly endless, and the program itself is far from flawless when it comes to correctly identifying suspects.

According to an FBI study, the quality of images in the database is inconsistent and often of low resolution. Partly for this reason, the FBI doesn’t promise accuracy in its search results. Instead, it ensures only that “the candidate will be returned in the top 50 candidates” 85% of the time “when the true candidate exists in the gallery.” In fact, the overwhelming number of matches will be false. This false-positive risk could result in even greater racial profiling by disproportionately shifting the burden of identification onto certain ethnicities. The false-positive risk can also alter the traditional presumption of innocence in criminal cases by placing more of a burden on the suspect to show he is not who the system identifies him to be. And this is true even if a face recognition system such as NGI offers several results for a search instead of one, because each of the people identified could be brought in for questioning, even if he or she has no relationship to the crime.

To head off abuse, the letter asks the Attorney General to ensure that the database only collects data on "individuals who are part of the criminal justice system." It also asks Holder to prevent the NGI program from becoming just another way for the FBI (and its partners in law enforcement) to surveil innocent Americans.

Those signing this letter likely know that neither Holder nor the FBI is particularly sympathetic to the privacy interests of Americans, but the letter does create another opportunity to bring the issue to the attention of the public. Enough public pressure can push agencies in the right direction, especially if the public also gets its representatives involved. There's been surprisingly little oversight of the FBI's activities, especially with the NSA claiming most of the oversight spotlight in recent months, but the ACLU and others are always there to remind citizens that there's more than one agency playing fast and loose with Americans' privacy.

Time To Change Your Fingerprints: Apple's Fingerprint Scanner Already Hacked
By Mike Masnick | Mon, 23 Sep 2013 05:30:05 PDT
https://www.techdirt.com/articles/20130923/01162724617/time-to-change-your-fingerprints-apples-fingerprint-scanner-already-hacked.shtml

to crack TouchID "using everyday means." You can see a video of them getting into a new iPhone with a different finger:

It appears that they've used the same basic method as has been used to hack fingerprint scanners in the past -- get a high quality image of the user's fingerprint and then:

The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.

The only "difference" here is that they needed to use a higher resolution in the printing to match the higher resolution of Apple's scanner. CCC points out, as others have in the past, that this should remind people that fingerprint scanning is not very secure.

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson of the CCC. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access." Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.

iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.

It wasn't difficult to assume that this would happen. What's surprising is that Apple doesn't seem to have considered this fact.

EFF Sues FBI: Hey Before You Launch New Face Recognition Tool, Can You Respond To Our FOIA On Old Tool?
By Mike Masnick | Thu, 27 Jun 2013 16:28:17 PDT
https://www.techdirt.com/articles/20130626/17344923630/eff-sues-fbi-hey-before-you-launch-new-face-recognition-tool-can-you-respond-to-our-foia-old-tool.shtml

have now sued the FBI concerning a set of Freedom of Information Act (FOIA) requests that the FBI has failed to respond to concerning its use of various biometric tools, such as face recognition. The EFF finds this to be especially pernicious, since the FBI has gleefully announced plans to expand these efforts, without any information or public debate on how its existing programs have worked (or, as the case may be, not worked):

In the complaint filed with the U.S. District Court for the Northern District of California, EFF is asking a judge to enforce EFF's FOIA requests, which were sent to the FBI in June and July of last year. The information sought includes agreements and discussions between the FBI and various state agencies regarding the face-recognition program; records addressing the reliability of face-recognition technology; and documentation of the FBI's plan to merge civilian and criminal records in a single repository. EFF is also seeking disclosure of the total number of face-recognition capable records currently in the FBI's database, as well as the proposed number at deployment.

NGI will have an unprecedented impact on Americans' privacy interests, and yet the FBI has not updated its Privacy Impact Assessment since 2008, well before it built the system and signed agreements with several states for an early roll-out of the program.

"Before the federal government decides to expand its surveillance powers, there needs to be a public debate," Lynch says. "But there can be no public debate until the details of the program are presented to the public."

Yet again, with our intelligence agencies, it appears that the federal government feels that it can do whatever it wants, and any attempt to answer to the public is to be ignored at all costs.

Biometric ID Cards Come To Britain... Biometric ID Card Readers, Not So Much
By Carlo Longino | Fri, 6 Feb 2009 07:59:00 PST
https://www.techdirt.com/articles/20090204/1935113654.shtml

nobody has the equipment to read them. Neither police nor immigration officers, nor any governmental body, has the proper readers to access the fingerprint information stored on the cards (which is perhaps why they've issued cops with portable fingerprint readers). Some people will probably argue that since the info on the cards can't be read, there's no privacy threat. Of course, all this says is that the government doesn't have any readers, but what about other folks? The recent story about the guy in San Francisco who was able to read RFID-enabled American passports and drivers' licenses with $250 worth of gear he bought on eBay highlights that just because the authorities that issued the cards can't read them, it's still possible that others can.